From: NeilBrown <neilb@suse.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Steve Dickson <SteveD@redhat.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH 0/3] Various gssd fixes including machine-credential issue.
Date: Mon, 3 Jun 2013 12:23:19 +1000
Message-ID: <20130603122319.47f4e0dd@notabene.brown>
In-Reply-To: <A2E2CEA9-4F2B-4A3F-8661-36D1E6288B0F@oracle.com>

On Sun, 2 Jun 2013 22:01:50 -0400 Chuck Lever <chuck.lever@oracle.com> wrote:
>
> On Jun 2, 2013, at 9:00 PM, Neil Brown <neilb@suse.de> wrote:
>
> > As you probably know, since 3.7 (I think) Linux NFS has explicitly
> > asked for machine credentials for certain requests rather than asking
> > for root credentials as it previously did.
> > This causes a regression for people who don't have any machine
> > credentials configured and use "gssd -n".
> >
> > I gather this was discussed on the mailing list earlier this year but
> > not resolved.
>
> It's resolved in 3.10-rc.
>
> The kernel will attempt to use krb5i for lease management operations. If that fails because there is no keytab available, it falls back to using AUTH_SYS.

And if the server refuses to accept AUTH_SYS?

I guess this is commit 79d852bf5e7691dc7 ?? It seems to say that the server
should always accept AUTH_SYS ... is that right?

That commit isn't tagged for -stable.
So do we still need to make it work for 3.7, 3.8, 3.9 users?

Thanks,
NeilBrown

>
>
> > I would like to re-awaken the issue and offer a resolution (which has
> > been tested and found effective by a customer).
> >
> > Hence these three patches. The first two are minor issues that I
> > stumbled over while trying to understand the problem and are not
> > critical but probably should be fixed.
> >
> > The third addresses the above mentioned issue. It introduces a
> > variable "machine_uses_root_credentials" which is similar to the
> > current "root_uses_machine_credentials". It also adds a "-N" flag to
> > set this variable.
> >
> > I'm not certain what the defaults should be. For backward
> > compatibility it would be best if '-n' set this new variable as
> > well as clearing the old one, but then I'm not sure what exactly -N
> > should do.
> >
> > Comments welcome.
> >
> > Thanks,
> > NeilBrown
> >
> >
> >
> > ---
> >
> > Neil Brown (3):
> > krb5_utils: remove redundant array size.
> > krb5_util: don't give up on machine credential if hostname not available.
> > gssd: add -N option to use root credentials as machine credentials.
> >
> >
> > utils/gssd/gssd.c | 9 ++++++---
> > utils/gssd/gssd.h | 1 +
> > utils/gssd/gssd.man | 13 ++++++++++++-
> > utils/gssd/gssd_proc.c | 12 +++++++-----
> > utils/gssd/krb5_util.c | 10 +++++++---
> > 5 files changed, 33 insertions(+), 12 deletions(-)
> >
> > --
> > Signature
> >
>